New-AdfsAccessControlPolicy
Creates an AD FS access control policy.
Syntax
New-AdfsAccessControlPolicy
-Name <String>
[-SourceName <String>]
[-Identifier <String>]
[-Description <String>]
[-PolicyMetadata <PolicyMetadata>]
[-PolicyMetadataFile <String>]
[-WhatIf]
[-Confirm]
[<CommonParameters>] Description
The New-AdfsAccessControlPolicy cmdlet creates an Active Directory Federation Services (AD FS) access control policy from a policy metadata file.
How to create a federation metadata file
The federation metadata document is an XML file that is available for download. To retrieve your document, enter your federation service name, and then select the Get federation metadata button.
Examples
Example 1: Create a policy template from a policy metadata file
PS C:\> $t=New-AdfsAccessControlPolicy -Name "DemoOne" -PolicyMetadataFile "C:\filepath\ PolicyTemplateIntranetWithOneGroupParameterMFA.xml"This command creates a policy template from a policy metadata file.
Example 2: Create a relying party using the policy template
PS C:\> Add-AdfsRelyingPartyTrust -Name "DemoRP1" -Identifier "https://DemoRP1" -AccessControlPolicyName DemoOne -AccessControlPolicyParameters "Administrators"This command creates a relying party using the policy template.
Example 3: Change parameters
PS C:\> Set-AdfsRelyingPartyTrust -TargetName "DemoRP1" -AccessControlPolicyParameters ("Administrators","Users") -AccessControlPolicyName "DemoOne"This command changes parameters for an access control policy.
Example 4: Un-assign a policy template
PS C:\> Set-AdfsRelyingPartyTrust -TargetName "DemoRP1" -AccessControlPolicyName $nullThis command un-assigns a policy template.
Example 5: Create a policy template from an existing template
PS C:\> New-AdfsAccessControlPolicy -Name "DemoCopyOne" -SourceName "DemoOne"This command creates a policy template from an existing template.
Example 6: Create a policy template from existing metadata
PS C:\> New-AdfsAccessControlPolicy -Name "DemoCopyTwo" -PolicyMetadata $t.PolicyMetadataThis command creates a policy template from existing metadata. The $t variable is an object from New-AccessControlPolicy.
Example 7: Create a policy template from a relying party result policy
PS C:\> New-AdfsAccessControlPolicy -Name "DemoCopyWithAssignment" -PolicyMetadata $r.ResultantPolicyThis command creates a policy template from a relying party result policy. The $r variable is the object returned from Get-AdfsRelyingPartyTrust.
Example 8: Change the relying party to use a new template
PS C:\> Set-AdfsRelyingPartyTrust -TargetName "DemoRP1" -AccessControlPolicyName "DemoTwo" -AccessControlPolicyParameters @{PermitGroup="Users";RejectGroup="Administrators"}This command changes the relying party to use a new template.
Example 9: Complicated conditions with specific claims
PS C:\> Set-AdfsRelyingPartyTrust -TargetName "DemoRP1" -AccessControlPolicyName DemoRP -AccessControlPolicyParameters`
@{"SPParameter"= @{ClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/OfficeLocation"; Operator="Equals"; Value="Redmond"}}Example 10: Two specific claims for single parameter
PS C:\> Set-AdfsRelyingPartyTrust -TargetName "DemoRP1" -AccessControlPolicyName "DemoRP" -AccessControlPolicyParameters`
@{"SPParameter"= (@{ClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/OfficeLocation"; Operator="Equals"; Value=("Redmond","DC")},`
@{ClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/Department"; Operator="Equals"; Value="Azure"})}Parameters
-Confirm
Prompts you for confirmation before running the cmdlet.
| Type: | SwitchParameter |
| Aliases: | cf |
| Position: | Named |
| Default value: | False |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Description
Specifies a description.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Identifier
Specifies an ID.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Name
Specifies a name.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-PolicyMetadata
Specifies metadata for the policy.
| Type: | PolicyMetadata |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-PolicyMetadataFile
Specifies a file that contains metadata for the policy.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-SourceName
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
| Type: | SwitchParameter |
| Aliases: | wi |
| Position: | Named |
| Default value: | False |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |